(19) Europaisches Patentamt / European Patent Office / Office europeen des brevets

(11) EP 0 751 453 A1

(12) EUROPEAN PATENT APPLICATION

(43) Date of publication: 02.01.1997 Bulletin 1997/01

(21) Application number: 96303728.8

(22) Date of filing: 24.05.1996

(51) Int. Cl.6: G06F 1/00

(84) Designated Contracting States: DE FR GB

(30) Priority: 30.06.1995 US 497300

(71) Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION, Armonk, NY 10504 (US)

(72) Inventors:
• Sigler, Wayne Dube, Austin, Texas 78730 (US)
• Kells, Timothy Roger, Round Rock, Texas 78681 (US)

(74) Representative: Williams, Julian David, IBM United Kingdom Limited, Intellectual Property Department, Hursley Park, Winchester, Hampshire SO21 2JN (GB)

(54) Method and apparatus for a system wide logon in a distributed computing environment



(57) A system wide sign-on capability in a distributed computing environment (DCE) is provided. Acquired distributed computing environment credentials are usable by any process/window on a desktop. DCE logon application programming interfaces create and recognize the presence of a credentials cache capable of being used by DCE processes in the system. System wide logon occurs whenever the logon API is invoked with the environment variable set. This API is called as a result of the system logon option having been selected. The API updates a global variable with the name of the credentials cache. A process variable is set to the global value by initialization logic for all subsequently invoked applications. As a result, any calls made by these applications will acquire the credentials identified by the variable.
Description

The present invention relates to data processing systems, and more particularly, to the propagation of a user's identity throughout a distributed computing environment.

Computer users are demanding flexible and sophisticated techniques in hardware and software implementations. This flexibility and sophistication is readily evident in evolving systems which alleviate requiring users to logon multiple times to access nodes (systems) in a network. The concept of a "single sign-on" provides the ability to logon securely to several systems at once using a single access code. Prior to these developments, users who accessed multiple applications or systems during the course of a day encountered many frustrations. The use of a word processing program required that a user have a password to access the application. A second password was used to logon and access electronic mail. And the list goes on. A recent study revealed that the average user of four applications spends about 44.4 hours per year just logging on to those applications. If the same user had a single sign-on capability, the time required to log on to the four applications is reduced to about 17 hours per year.

A single sign-on capability has been implemented by the IBM Corporation in a version of the Operating System/2 product. This function is accomplished by keeping a single copy of five master system files which are shared by every node. A network administrator arranges the file tree of each user so that the same directories and files are seen regardless of which node the user is logged on to. The file tree provides the capability of logging on from any machine and providing an identical interface from any node, and in effect provides a single system image of the environment from any of the nodes. In summary, the single system image is implemented by keeping only one master copy of the above system files at a master node. Each node has a file of instructions executed at system initial program load (IPL). The master files are loaded over the node's own local copies of these files at IPL. The major deficiency of this method is the requirement for the user to logon to the node before the system wide capabilities can be realized.

A second method for eliminating the need for multiple logon has been proposed for the Operating System/2 EE Database Manager product. (OS/2 is a trademark of the IBM Corporation). In the current implementation of the Operating System/2 EE Database Manager product, a logon menu is presented to a user attempting to access a protected object. The function providing the menu is called by the requesting subsystem when it is determined that there has been no valid logon. The proposed implementation provides a remote authorization table (RAT) to alleviate the multiple logon problem. On the user's initial logon (either to the local system or to a remote node), a table is built containing an entry of the user's identity (userid), a password, and identity of the node (e.g., local or remote node name) to which the user is logging on. If the resource to be accessed is on a remote server, the database manager is called by the subsystem to obtain the userid/password for the target node. If no userid/password is in the target node, the most recently used remote for another node is returned. If no logon has occurred, then the local userid/password is passed to the subsystem requestor for use on that system. If the information returned is other than that of the node, a RAT entry is built, composed of the node name and the userid, and a password is returned. If the password fails, the subsystem will call user management services to bring up a logon menu to allow the user to provide the correct password for the remote server node. This node is then saved in the RAT for future use, replacing the incorrect RAT entry previously built for the node. Like the earlier method, this method too requires a user logon before the system wide capabilities are available to the user.

It is desirable to have a system wide logon capability accessible to a user without requiring the user to logon to a system.

In accordance with the present invention, there is now provided a method for locating a user's credentials for using a local computer system in a distributed computing environment, comprising the steps of: determining whether a pointer to the user's credentials exists, if so, using the user's credentials; if not, determining whether a default set of credentials exists, if so, using the default set of user credentials; and if not, using a set of credentials for the local computer system.

Viewing the present invention from another aspect, there is now provided apparatus for locating a user's credentials for use in a local computer system in a distributed computing environment, comprising: means for determining whether a pointer to the user's credentials exists, if so, using the user's credentials; if not, means for determining whether a default set of credentials exists, if so, using the default set of user credentials; and if not, means for using a set of credentials for the local computer system.

Viewing the present invention from yet another aspect, there is now provided a method of providing system wide logon capability to a user at a workstation in a network in a distributed computing environment, comprising: acquiring and storing a user's credential in a local storage area; establishing a logon environment for said system wide logon capability; detecting the loading of an application calling for said system wide logon capability and accessing said user's credentials and automatically logging said user onto said network.

In a preferred embodiment of the present invention, there is provided a method and apparatus for providing a single sign-on code in a distributed computing environment. The embodiment renders the distributed computing environment (DCE) portion of a single user logon into a system wide logon credential. The acquired distributed computing environment credential is usable by any process/window on a desktop. DCE logon APIs (Application Programming Interfaces) create and recognize the presence of a credentials cache capable of being used by DCE processes in the system. DCE applications invoked after a user log-off do not inherit credentials established by the previous system logon. Applications started by the user when logged on will continue to use the logged-off user's credentials. System wide logon occurs whenever the SEC_LOGIN_SET_CONTEXT API is invoked with the environment variable SINGLELOGIN set. This will be the case when the API is called by the Lan Server (LS) integrated logon program in the DCE2.0 environment. This API is called by DCELOGON as a result of the system logon option having been selected. The API will update a Global with the name of the credentials cache. The variable, KRB5CCNAME, will be set to the global value by SEC.DLL initialization logic for all subsequently invoked applications using DCE security if it is not set in the environment already (e.g., a per-process DCELOGON will override the default context). As a result, any SEC_LOGON calls made by these applications will acquire the credentials from the variable.

A preferred embodiment of the present invention will now be described by way of example only, with reference to the accompanying drawings, in which:

Figure 1 is a block diagram representation of a computer network;

Figures 2A and 2B are block diagrams of the functional blocks required for implementation of a system wide logon capability;

Figure 2C is a block diagram of the major components of an example of the system wide logon invention;

Figure 3 is a flow diagram of the security initialization routine;

Figure 4 is a flow diagram of the "Set Context" function for an example of the system wide logon invention;

Figure 5 is a flow diagram of the "Get Context" function for an example of the system wide logon invention;

Figure 6 is a flow diagram of the purge/release context for an example of the system wide logon invention; and

Figure 7 is a block diagram of a computer system capable of implementing a preferred embodiment of the present invention.



The embodiment of the invention to be described shortly provides a method and apparatus for propagating a distributed computing environment identification throughout the entire OS/2 process tree even if the identification is not logged in at the root process. As used in this application and known to those skilled in the art, a distributed computing environment (DCE) frees users from being tied to any particular node in a network. DCE is a set of communications protocols defined by the Open Software Foundation. DCE allows a user to access a "home" directory from any machine in the DCE. In addition, DCE allows unlike hardware platforms and operating systems to communicate and share resources.

Turning now to Figure 1, there is shown a distributed data processing system/DCE in a communication network. In this environment, each processor at a node in the network potentially may access all the files in the network no matter at which nodes the files may reside.

As shown in Figure 1, a distributed network environment 1 may consist of two or more nodes A, B and C connected through a communication link or network 3. The network 3 can be a local area network (LAN) or a wide area network (WAN), the latter comprising a switched or leased teleprocessing (TP) connection to other nodes or to a SNA (System Network Architecture) network of systems. At any of the nodes A, B or C there may be a processing system 10A, 10B or 10C, such as an IBM PS/2 Personal Computer or IBM RISC System/6000 workstation. Each of these systems 10A, 10B and 10C may be a single user system or a multi-user system with the ability to use the network 3 to access files located at a remote node in the network.

With reference to Figures 2A and 2B, block diagrams of the major components of the system wide logon procedure are shown. Figure 2A illustrates the system logon process where the credentials routine is acquired as shown in block 100. This block represents a series of public API calls which are responsible for authenticating the logging-in user, and building a disk-resident file containing that user's credentials. The "set context" block 300 represents a call to the single public API responsible for establishing the previously acquired credentials as those which will be subsequently associated with newly started application processes. The application/credentials association portion of the system wide logon procedure is shown in Figure 2B. At block 200, initialization of the credentials process is shown. The "GET" context block 400 establishes the context for single system wide logon capability. The purge/release context block 500 purges/destroys memory contents allocated for logon parameters. The DCE logoff block 600 is entered from the purge/release block 500 and terminates the DCE logon procedure.

Turning now to Figure 2C, the invention is further illuminated by the overview shown therein. The logon process is described in block 20 which consists of acquiring and storing the credentials. In addition, the "SET" context procedure of block 300 (Figure 2A) is executed which culminates with setting the Global variable to <File Name>. The actual file containing the credentials is stored in a user's local storage 24. The <File Name> variable is then stored in Global Storage 22 under the variable SINLOGIN. Subsequently created application processes obtain the system wide credentials as described in block 26. The security dynamic link library (DLL) code 26A contains the process initialization logic which is described in Block 200 (Figure 2B). This code reads the Global Variable and sets the process variable. The <File Name> variable is stored in process storage as the variable KRB5CCNAME 26C. Application code 26B contains the "Get" context call, described in Block 400 (Figure 2B), which retrieves the credentials from the file named in KRB5CCNAME.

Turning to Figure 3, the flow diagram for the security initialization routine is shown. The procedure starts at block 202 and proceeds to block 204 where a check is done to see if an application is linking to the DCE. If YES, at block 208, the procedure determines if the KRB5CCNAME variable is NULL. If the variable is NULL, at block 210 the procedure checks if SINLOGIN is not NULL. If so, at block 212, the procedure sets the KRB5CCNAME variable equal to SINLOGIN.

Turning now to Figure 4, a flow diagram for the set context for the system wide logon is illustrated. The method starts at block 302 where the procedure obtains the ticket name from the input parameter "login context". At block 304, the procedure determines if the SINGLELOGIN environment variable is set. One skilled in the art will appreciate that this is the system logon option. If NO, at block 306 the traditional single-window DCE logon is initiated. At block 308, the procedure sets the KRB5CCNAME variable equal to the ticket cache name. At block 310, the procedure resets the NOSINGLELOGONCACHE variable to NULL and marks the default context value for the process at block 312. At block 314, the procedure marks the default context equal to the login context supplied on the call. One skilled in the art will appreciate that this sets the default context (system wide) for all other processes to use. Returning to block 304, if the SINGLELOGIN environment variable is set, a check is done at block 316 to determine if the SINLOGIN segment exists. If YES, at block 318 the procedure updates the SINLOGIN with the ticket cache name. Returning to block 316, if the SINLOGIN segment does not exist, or if the SINLOGIN segment can not be obtained for write access, then at block 322 the procedure stops.

Turning to Figure 5, the flow diagram for the "get context" function is shown. The procedure starts at block 402 where a check is conducted to determine if the default context is marked valid. If YES, at block 404 the procedure returns the logon context pointer stored in the default context. One skilled in the art will appreciate that this is the condition where a previous "get context" call has already created and marked the default context valid. Since a default context (system wide logon) is available, it is used as the logon context. Returning to block 402, if the process default context is not valid, at block 406 the procedure sets the "ticket cache" name equal to the value of the variable KRB5CCNAME. At block 408, a check is conducted to determine if the ticket cache name is not NULL and the NOSINGLELOGON variable is set. If YES, at block 418 the ticket cache name is set to null. One skilled in the art will appreciate that this indicates the process' desire to be associated with the machine context. If NO, at block 410 the procedure checks if the ticket cache name is null. If the ticket cache name is NULL, at block 420 the procedure sets the ticket cache name equal to the machine context ticket cache. At block 422, the procedure sets the KRB5CCNAME variable equal to the machine context ticket cache name and resets the NOSINGLELOGONCACHE variable equal to NULL at block 424. Returning to block 410, if the ticket cache name is not null, at block 412 the procedure builds the logon context as a function of the ticket cache name. The default context is marked valid at block 414 and the mark default context is set equal to the logon context at block 416. It will be appreciated that the context is built (block 414) using the machine context when the ticket cache name is equal to the machine context.

Turning now to Figure 6, a flow diagram of the purge/release context function is shown. At block 502, the procedure determines if the process default context is marked valid and the logon context is equal to the default context. If YES, at block 506 the variable KRB5CCNAME is set to NULL and the process default context is marked invalid at block 508. At block 510, the NOSINGLELOGONCACHE variable is set to a non-NULL value and processing continues at block 512. Returning to block 502, if the process default context is not valid, at block 512 the procedure checks to determine if the purge function has been called. If YES, at block 514, the procedure obtains the ticket cache name from the input "logon context" and unlinks (destroys) the credential file at block 516. One skilled in the art will appreciate that "releasing memory" in block 524 of this procedure does not destroy the credential file contents; however, a purge function does clobber/destroy the credential file contents. A check is carried out at block 518 to determine if SINLOGIN was obtained by the write. If YES, at block 520 a check is conducted to see if the ticket cache name is equal to the value stored in the SINLOGIN. If YES, at block 522, the SINLOGIN segment is reset to NULL and the login context memory is released at block 524. This is done to keep the desktop from executing with a clobbered cache.
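The lookup order of Figures 3, 5 and 6 (inherit SINLOGIN at process start, fall back from the process's own cache name to the machine context, then tear the context down on purge/release) as an added Python model; this is constructed example code, not the patent's or IBM's implementation, and the machine cache file name, the GlobalStorage and Process classes, the `files` set standing in for the credential files and the marker value stored in NOSINGLELOGONCACHE are assumptions.

```python
"""Model of the credentials lookup in the patent's Figures 3, 5 and 6.

Constructed simulation, not the patent's own code: the OS/2 global segment,
the process environment and the credentials files are plain Python objects.
"""
from dataclasses import dataclass, field
from typing import Optional

MACHINE_CACHE = "/var/dce/machine.krb5cc"  # assumed name of the host's own cache


@dataclass
class GlobalStorage:
    """Shared segment readable by every process (Global Storage 22, Figure 2C)."""
    SINLOGIN: Optional[str] = None  # cache name published by the system logon


@dataclass
class Process:
    """Per-process state: its environment plus the default-context flags of Figure 5."""
    env: dict = field(default_factory=dict)  # KRB5CCNAME and NOSINGLELOGONCACHE
    links_dce: bool = True
    default_valid: bool = False
    default_context: Optional[str] = None
    logon_context: Optional[str] = None


def security_init(proc: Process, gstore: GlobalStorage) -> None:
    """Figure 3 (blocks 204-212): inherit SINLOGIN unless KRB5CCNAME is already set."""
    if proc.links_dce and proc.env.get("KRB5CCNAME") is None and gstore.SINLOGIN:
        proc.env["KRB5CCNAME"] = gstore.SINLOGIN


def get_context(proc: Process) -> str:
    """Figure 5: pick the ticket cache the process uses and mark it as the default."""
    if proc.default_valid:                      # blocks 402/404: reuse the built context
        return proc.default_context
    cache = proc.env.get("KRB5CCNAME")          # block 406
    if cache and proc.env.get("NOSINGLELOGONCACHE"):
        cache = None                            # block 418: process opted out
    if cache is None:                           # blocks 420-424: fall back to machine
        cache = MACHINE_CACHE
        proc.env["KRB5CCNAME"] = cache
        proc.env.pop("NOSINGLELOGONCACHE", None)
    proc.logon_context = cache                  # block 412: build the logon context
    proc.default_valid = True                   # block 414
    proc.default_context = cache                # block 416
    return cache


def purge_release(proc: Process, gstore: GlobalStorage, files: set, purge: bool) -> None:
    """Figure 6: drop the process default context; on purge also destroy the cache file."""
    cache = proc.logon_context
    if proc.default_valid and cache == proc.default_context:   # block 502
        proc.env.pop("KRB5CCNAME", None)                        # block 506
        proc.default_valid = False                              # block 508
        proc.env["NOSINGLELOGONCACHE"] = "1"                    # block 510
    if purge:                                                   # block 512
        files.discard(cache)                                    # block 516: unlink file
        # Blocks 518-522, read here as part of the purge path: if the destroyed cache
        # is the one published in SINLOGIN, clear it so later processes do not inherit
        # a clobbered cache name.
        if gstore.SINLOGIN is not None and gstore.SINLOGIN == cache:
            gstore.SINLOGIN = None
    proc.logon_context = None                                   # block 524: release
```

A process that sets its own KRB5CCNAME before initialization keeps it, which is the per-process DCELOGON override the description mentions; a process carrying NOSINGLELOGONCACHE ends up on the machine context even though it inherited SINLOGIN.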

Turning to Figure 7, a generalized computer system/workstation 740 is shown as embodied in a number of commercially available systems such as the IBM PS/2 computer. (PS/2 is a trademark of the IBM Corporation). The current operating system support for the present invention is an Intel Microprocessor with Operating System/2 2.3. With reference to Figure 6, the basic components include one or more processing units or CPUs 746, hard disk or other permanent storage 742, random access memory 748, network communications support via an adapter 744, and input/output support to display device 754, keyboard 756, pointing device 758 and floppy diskette drive 760 through I/O controller 750. One skilled in the art will appreciate that a computer program product containing computer program logic recorded thereon may be stored on a computer readable medium (e.g., floppy diskette) and inputted to the computer system using the floppy diskette drive 760. These components communicate over a system bus 752.

While the invention has been described with respect to a preferred embodiment thereof, it will be understood by those skilled in the art that various changes in detail may be made therein without departing from the scope and teaching of the invention.

Claims 

1. A method for locating a user's credentials for using a local computer system in a distributed computing environment, comprising the steps of:

determining whether a pointer to the user's credentials exists, if so, using the user's credentials;

if not, determining whether a default set of credentials exists, if so, using the default set of user credentials; and

if not, using a set of credentials for the local computer system.

2. The method of claim 1, further comprising the steps of:

determining whether a process can use the default set of user credentials; and

if not, using the set of credentials for the local computer system.

3. Apparatus for locating a user's credentials for use in a local computer system in a distributed computing environment, comprising:

means for determining whether a pointer to the user's credentials exists, if so, using the user's credentials;

if not, means for determining whether a default set of credentials exists, if so, using the default set of user credentials; and

if not, means for using a set of credentials for the local computer system.

4. The apparatus of claim 3, comprising:

means for determining whether a process can use the default set of user credentials; and

if not, means for using the set of credentials for the local computer system.

5. A method of providing system wide logon capability to a user at a workstation in a network in a distributed computing environment, comprising:

acquiring and storing a user's credential in a local storage area;

establishing a logon environment for said system wide logon capability;

detecting the loading of an application calling for said system wide logon capability and accessing said user's credentials and automatically logging said user onto said network.

6. The method of claim 5 wherein the step of establishing a logon environment includes the step of setting global storage to said user's credentials in said local storage area.

7. The method of claim 6 including the step of storing the global storage setting in a process storage area.

8. The method of claim 7 wherein the step of accessing said user's credentials includes the step of retrieving said user's credentials from said process area, if present.



9. The method of claim 7 wherein the step of accessing said user's credentials includes the step of retrieving said user's credentials from said local storage area when said user's credentials is not in said process storage area.
